Resource Public Key Infrastructure (RPKI) Router Implementation Report
Abstract 


This document is an implementation report for the Resource Public Key 
Infrastructure (RPKI) Router protocol as defined in RFC 6810. The 
authors did not verify the accuracy of the information provided by 
respondents. The respondents are experts with the implementations 
they reported on, and their responses are considered authoritative 
for the implementations for which their responses represent. The 
respondents were asked to only use the "YES" answer if the feature 
had at least been tested in the lab. 


Status of This Memo 


This document is not an Internet Standards Track specification; it is 
published for informational purposes. 


This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.


Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7128.


1. Introduction


In order to formally validate the origin Autonomous Systems (ASes) of 
BGP announcements, routers need a simple but reliable mechanism to 
receive Resource Public Key Infrastructure (RPKI) [RFC6810] prefix 
origin data from a trusted cache. The RPKI Router protocol defined 
in [RFC6810] provides a mechanism to deliver validated prefix origin 
data to routers. 


This document provides an implementation report for the RPKI Router 
protocol as defined in RFC 6810 [RFC6810]. 


The authors did not verify the accuracy of the information provided 
by respondents or by any alternative means. The respondents are 
experts with the implementations they reported on, and their 
responses are considered authoritative for the implementations for 
which their responses represent. Respondents were asked to only use 
the "YES" answer if the feature had at least been tested in the lab. 


2. Implementation Forms


Contact and implementation information for person filling out this 
form: 


IOS 
Name: Keyur Patel 
Email: keyupate@cisco.com 
Vendor: Cisco Systems, Inc. 
Release: IOS 
Protocol Role: Client 


XR 
Name: Forhad Ahmed 
Email: foahmed@cisco.com 
Vendor: Cisco Systems, Inc. 
Release: IOS-XR 
Protocol Role: Client 


JUNOS 
Name: Hannes Gredler 
Email: hannes@juniper.net 
Vendor: Juniper Networks, Inc. 
Release: JUNOS 
Protocol Role: Client 

rpki.net
Name: Rob Austein 
Email: sra@hactrn.net 
Vendor: rpki.net project 
Release: <http://subvert-rpki.hactrn.net/trunk/> 
Protocol Role: Client, Server 


NCC 
Name: Tim Bruijnzeels 
Email: tim@ripe.net 
Vendor: RIPE NCC 
Release: RIPE NCC validator-app 2.0.0 <https://github.com/RIPE-NCC/rpki-validator>
Protocol Role: Server 


RTRlib 
Name: Fabian Holler, Matthias Waehlisch 
Email: waehlisch@ieee.org 
Vendor: HAW Hamburg, FU Berlin, RTRlib project 
Release: RTRlib 0.2 <http://rpki.realmv6.org/> 
Protocol Role: Client 

BBN 
Name: David Mandelberg, Andrew Chi 
Email: dmandelb@bbn.com 
Vendor: Raytheon/BBN Technologies 
Release: RPSTIR 0.2 <http://sourceforge.net/projects/rpstir/> 
Protocol Role: Server 

3. Protocol Data Units 


Does the implementation support Protocol Data Units (PDUs) as 
described in Section 5 of [RFC6810]? 


P0: Serial Notify
P1: Serial Query
P2: Reset Query
P3: Cache Response
P4: IPv4 Prefix
P6: IPv6 Prefix
P7: End of Data
P8: Cache Reset
P10: Error Report


Error PDU gets silently ignored.
Note 1:


4. Protocol Sequence


Does the RPKI Router protocol implementation follow the four protocol
sequences as outlined in Section 6 of [RFC6810]?


Start or Restart
Typical Exchange
No Incremental Update Available
Cache Has No Data Available


+---------------------------------+-----+-----+-------+----------+----------+------+--------+-------+
|                                 | IOS | XR  | JUNOS | rpki.net | rpki.net | NCC  | RTRlib | BBN   |
|                                 |     |     |       | clnt     | srvr     |      |        |       |
+---------------------------------+-----+-----+-------+----------+----------+------+--------+-------+
| Start or Restart                | YES | YES | YES   | YES      | YES      | YES  | YES    | YES   |
| Typical Exchange                | YES | YES | YES   | YES      | YES      | NO~1 | YES    | YES   |
| No Incremental Update Available | YES | YES | YES   | YES      | YES      | YES  | YES    | YES   |
| Cache Has No Data Available     | YES | YES | YES   | YES      | YES      | YES  | YES    | YES~2 |
+---------------------------------+-----+-----+-------+----------+----------+------+--------+-------+

Note 1: Does not implement Serial Query, thus Incremental Update is
        never available, so responds to Serial Query with Cache
        Reset as described in Section 6.3 of [RFC6810]

Note 2: Sends Cache Reset in response to Serial Query when no data;
        sends Error Report PDU in response to Reset Query when no
        data.
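
The sequences and notes above translate into a small amount of router-side logic. The following Python is an added example, not code from this report or from any surveyed implementation: it parses RFC 6810 (version 0) PDU headers and chooses between Serial Query and Reset Query. The function names and sample bytes are constructed for illustration, and a Session ID mismatch is simplified to "forget state and send Reset Query" rather than also dropping the transport session.

```python
import struct

# PDU types P0..P10 listed in Section 3; header layout per RFC 6810, Section 5.
KNOWN = {0, 1, 2, 3, 4, 6, 7, 8, 10}
HDR = struct.Struct("!BBHI")  # version, type, Session ID (or error code), length
RESET_QUERY = HDR.pack(0, 2, 0, 8)

def parse_pdus(stream):
    """Split bytes from the cache into (type, session_id, body); reject malformed PDUs."""
    out, off = [], 0
    while off < len(stream):
        if len(stream) - off < HDR.size:
            raise ValueError("truncated header")
        ver, ptype, sid, length = HDR.unpack_from(stream, off)
        if ver != 0 or ptype not in KNOWN:
            raise ValueError("unsupported version or PDU type")
        if length < HDR.size or off + length > len(stream):
            raise ValueError("length field out of range")
        out.append((ptype, sid, stream[off + HDR.size:off + length]))
        off += length
    return out

def serial_query(session_id, serial):
    return HDR.pack(0, 1, session_id, 12) + struct.pack("!I", serial)

def react(state, pdu):
    """Router side. state is (session_id, serial) or None; returns (state, reply or None)."""
    ptype, sid, body = pdu
    if ptype == 8:                       # Cache Reset: no incremental update available
        return None, RESET_QUERY
    if ptype in (0, 3, 7) and state and sid != state[0]:
        return None, RESET_QUERY         # Session ID changed: flush and reload everything
    if ptype == 0:                       # Serial Notify: ask for the delta (or everything)
        return state, (serial_query(*state) if state else RESET_QUERY)
    if ptype == 7:                       # End of Data: commit the cache's serial number
        return (sid, struct.unpack_from("!I", body)[0]), None
    return state, None                   # prefix PDUs would update the origin table here

def run(state, stream):
    replies = []
    for pdu in parse_pdus(stream):
        state, reply = react(state, pdu)
        replies += [reply] if reply else []
    return state, replies

# Constructed sample traffic (not captured from any implementation).
NOTIFY = HDR.pack(0, 0, 0x1234, 12) + struct.pack("!I", 6)
FULL_LOAD = (HDR.pack(0, 3, 0x9999, 8) + HDR.pack(0, 4, 0, 20)
             + bytes([1, 24, 24, 0, 192, 0, 2, 0]) + struct.pack("!I", 64496)
             + HDR.pack(0, 7, 0x9999, 12) + struct.pack("!I", 1))
```

A cache that answers every Serial Query with Cache Reset, as in Note 1, drives this logic through the Reset Query path on each update, so the router reloads the full data set every time.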


Does the RPKI Router protocol implementation support the different
protocol transport mechanisms outlined in Section 7 of [RFC6810]?


+---------+-----+--------+-----+
|         | IOS | RTRlib | BBN |
+---------+-----+--------+-----+
| SSH     | NO  | YES    | YES |
| TLS     | NO  | NO     | NO  |
| TCP     | YES | YES    | YES |
| TCP-MD5 | NO  | NO     | NO  |
| TCP-AO  | NO  | NO     | NO  |
| IPsec   | NO  | NO     | NO  |
+---------+-----+--------+-----+


6. Error Codes


Does the RPKI Router protocol implementation support the different
protocol error codes outlined in Section 10 of [RFC6810]?


+-------+-----+--------+-----+
|       | IOS | RTRlib | BBN |
+-------+-----+--------+-----+
| Rcv.0 | YES | YES    | YES |
| Snd.0 | YES | YES    | YES |
| Rcv.1 | YES | YES    | YES |
| Snd.1 | YES | YES    | YES |
| Rcv.2 | YES | YES    | --- |
| Snd.2 | --- | ---    | YES |
| Rcv.3 | YES |        |     |
| Snd.3 | --- | ---    | YES |
| Rcv.4 | YES | YES    | YES |
| Snd.4 | YES | YES    | YES |
| Rcv.5 | YES | YES    | YES |
| Snd.5 | YES | YES    | YES |
| Rcv.6 |     | ---    | YES |
| Snd.6 | YES | YES    | --- |
| Rcv.7 | --- | ---    | YES |
| Snd.7 | YES | YES    | --- |
+-------+-----+--------+-----+


Note 1: YES,


NO   NO
YES  YES
NO   NO
NO   NO


+-------+----------+
| JUNOS | rpki.net |
|       | clnt     |
+-------+----------+
| NO    | YES      |
| NO    | YES      |
| NO    | YES      |
| NO    | YES      |
| NO    | YES      |
| NO    | YES      |
|       |          |
| NO    | YES      |
| NO    | YES      |
| NO    | YES      |
| NO    | YES      |
| NO    | NO       |
|       |          |
| NO    | NO       |
+-------+----------+


so connection is dropped, but cache does


Does the RPKI Router implementation support Incremental Updates as
defined in Section 4 of [RFC6810]?


+-----+-----+-------+----------+-----+--------+-----+
| IOS | XR  | JUNOS | rpki.net | NCC | RTRlib | BBN |
|     |     |       | clnt     |     |        |     |
+-----+-----+-------+----------+-----+--------+-----+
| NO  | NO  | YES   | YES      | NO  | YES    | YES |
+-----+-----+-------+----------+-----+--------+-----+


8. Session ID Support


Session ID is used to indicate that the cache server may have
restarted and that the incremental restart may not be possible.


Does the RPKI Router protocol implementation support the Session ID
procedures outlined in Section 5.1 of [RFC6810]?


+-----+-----+-------+----------+----------+------+--------+-----+
| IOS | XR  | JUNOS | rpki.net | rpki.net | NCC  | RTRlib | BBN |
|     |     |       | clnt     | srvr     |      |        |     |
+-----+-----+-------+----------+----------+------+--------+-----+
| YES | YES | YES   | YES      | YES      | NO~1 | YES    | YES |
+-----+-----+-------+----------+----------+------+--------+-----+

Note 1: NO, using random, but will FIX


9. Incremental Session Startup Support


Does the RPKI Router protocol implementation support Incremental
session startups with Serial Number and Session ID as defined in
Section 5.3 of [RFC6810]?


+-----+-----+-------+----------+----------+-----+--------+-----+
| IOS | XR  | JUNOS | rpki.net | rpki.net | NCC | RTRlib | BBN |
|     |     |       | clnt     | srvr     |     |        |     |
+-----+-----+-------+----------+----------+-----+--------+-----+
| YES | YES | YES   | YES      | YES      | NO  | YES    | YES |
+-----+-----+-------+----------+----------+-----+--------+-----+


Bush, et al.                  Informational


10. Interoperable Implementations


List other implementations with which you have tested the 
interoperability of the RPKI Router implementation. 


10.1. Cisco Implementation


Cisco: The Cisco IOS and IOS-XR implementation should be 
interoperable with other vendor RPKI Router Protocol implementations. 
In particular, we have tested our interoperability with rpki.net’s 
RPKI Router implementation. 


10.2. Juniper Implementation


Juniper: The Juniper Networks, Inc. JUNOS implementation should be 
interoperable with other vendor RPKI Router Protocol implementations. 
In particular, we have tested our interoperability with rpki.net's 
and NCC’s RPKI Router Cache implementation. 


10.3. rpki.net Implementation

rpki.net: The rpki.net implementation should operate with other rpki- 
rtr implementations. In particular, we have tested our rpki-rtr 
server’s interoperability with Cisco IOS, Cisco IOS-XR, and Juniper. 

10.4. RIPE NCC Implementation

RIPE NCC: The RIPE NCC validator has been tested by us with other 
rpki-rtr implementations. In particular, we have tested with RTRlib 
and CISCO IOS. We received positive feedback from close contacts who 
tested our validator with JUNOS and Quagga. 

10.5. RTRlib Implementation

RTRlib: The RTRlib has been tested by us with other rpki-rtr 
implementations. In particular, we have tested with rtr-origin from 
rpki.net and RIPE NCC Validator. 

10.6. BBN RPSTIR Implementation

BBN RPSTIR: We have not yet tested with any other implementations. 


11. Security Considerations


No new security issues are introduced to the RPKI Router protocol 
defined in [RFC6810]. 